Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 21:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
-
Size
132KB
-
MD5
0020351cc4c2a3ea6e0b1fc5fa684fe3
-
SHA1
626f9da100fe83bbee5a25d52b87a3d4b48be5c9
-
SHA256
a67915345f7a32e7c40c51469a983ae18b731a658c04e370f2674ce8246c32dd
-
SHA512
e109d10bb84c33c246b1ba55c29949d2027389a5ad8d6c22770fefbbe162024dcedd573b69537109743b6dde0d85b6cebfd5e4460eef58d22c852a0325fcbdad
-
SSDEEP
3072:qTu19iMnR4ueRRKAQWXpr5r3/47hpK1W:qy1RrGFQ6r5c7
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 4444 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 4444 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 3388 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 3388 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 1636 plaindsm.exe 1636 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe 3436 plaindsm.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3388 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4444 wrote to memory of 3388 4444 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 86 PID 4444 wrote to memory of 3388 4444 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 86 PID 4444 wrote to memory of 3388 4444 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe 86 PID 1636 wrote to memory of 3436 1636 plaindsm.exe 94 PID 1636 wrote to memory of 3436 1636 plaindsm.exe 94 PID 1636 wrote to memory of 3436 1636 plaindsm.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:3388
-
-
C:\Windows\SysWOW64\plaindsm.exe"C:\Windows\SysWOW64\plaindsm.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\plaindsm.exe"C:\Windows\SysWOW64\plaindsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436
-